inspec-iggy 0.4.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 77411a21b6c3a1f74cdc23ab20f48d96af93a985
-  data.tar.gz: 0b32db4421f119d92343a7cd834e2953989ee3b7
+SHA256:
+  metadata.gz: 2fda35bc2132112d64bad18dab4c2082adb075b9e9a4f9e809297dcba8f34512
+  data.tar.gz: 3ece40720d734afcb5af8acd8eb54e193dc70c28ca4c87d38bf6d62bcb7c9637
 SHA512:
-  metadata.gz: eac8bdf420cb4951742c5e66038bfda33c7776d7c75b78fab08f8cff81c18883c956670991ea62a8c4822a290bb24981db267b93ca68a5aa0487db57ee0462ce
-  data.tar.gz: b01d470916ca825f4a30cc3376a3979815160efd76fe2ee6d1ecae8b98d6881b937b6fa139a050719b6b38dcd9c056e725a6984b4e389ad862be2d16af179279
+  metadata.gz: 1e34a5bee669e7e63948af184efe3395c45cc46e270d0ed929a8a3d11787d3a5c14f0827ab911050a0a9e1b8be00e32fca212d303b31f46e45c80d4b1119ccc1
+  data.tar.gz: 99ef09d4c2fd5d30896b934b7eda623f37ff24f018bc143dcb1f87f19ba13d70b6f6f620feb38dc44d99eac042baf801e48c77c6203cae796850bb4e316a8925

data/Gemfile

@@ -3,15 +3,11 @@ source 'http://rubygems.org'
 
 gemspec
 
+# follows InSpec's versions
 group :test do
-  gem 'rake'              # Build task manager
-  gem 'chefstyle'
-  gem 'byebug'            # A debugger REPL
-  gem 'rubocop'           # Needed for style linting
+  gem 'minitest', '~> 5.5'
+  gem 'rake', '>= 10'
+  gem 'rubocop', '= 0.49.1'
   gem 'm'
-end
-
-group :tools do
-  gem 'github_changelog_generator'
-  gem 'rb-readline'
+  gem 'pry-byebug'
 end

data/README.md

@@ -1,6 +1,6 @@
 # Description #
 
-[![Build Status Master](https://travis-ci.org/inspec/inspec-iggy.svg?branch=master)](https://travis-ci.org/inspec/inspec-iggy)
+[![Build Status Master](https://travis-ci.org/mattray/inspec-iggy.svg?branch=master)](https://travis-ci.org/mattray/inspec-iggy)
 
 InSpec-Iggy (InSpec Generate -> "IG" -> "Iggy") is an [InSpec](https://inspec.io) plugin for generating compliance controls and profiles from [Terraform](https://terraform.io) `tfstate` files and [AWS CloudFormation](https://aws.amazon.com/cloudformation/) templates. Iggy generates InSpec controls by mapping Terraform and CloudFormation resources to InSpec resources and exports a profile that may be used from the `inspec` CLI or uploaded to [Chef Automate](https://automate.chef.io/).
 
@@ -10,32 +10,34 @@ InSpec-Iggy (InSpec Generate -> "IG" -> "Iggy") is an [InSpec](https://inspec.io
 
 Iggy was originally a stand-alone CLI inspired by Christoph Hartmann's [inspec-verify-provision](https://github.com/chris-rock/inspec-verify-provision) and the blog post on testing [InSpec for provisioning testing: Verify Terraform setups with InSpec](http://lollyrock.com/articles/inspec-terraform/).
 
-The [CHANGELOG.md](https://github.com/inspec/iggy/blob/master/CHANGELOG.md) covers current, previous and future development milestones and contains the features backlog.
+The [CHANGELOG.md](https://github.com/mattray/iggy/blob/master/CHANGELOG.md) covers current, previous and future development milestones and contains the features backlog.
 
 1. [Requirements](#requirements)
-2. [Installation](#installation)
-3. [InSpec Terraform Generate](#itg)
-4. [InSpec Terraform Extract](#ite)
+2. [Support](#support)
+3. [Installation](#installation)
+4. [InSpec Terraform Generate](#itg)
 5. [InSpec Cloudformation Generate](#icg)
-6. [Testing](#testing)
+6. [Development and Testing](#development)
+
+# Support<a name="support"></a>
+
+InSpec-Iggy is a community-driven plugin that is not officially supported by Chef. We welcome patches, suggestions, and issues.
 
 # Requirements <a name="requirements"></a>
 
-Iggy generates compliance profiles for InSpec 2.3 and later, which includes the AWS and Azure resources. Because resources are continuing to be added to InSpec, you may want the latest version to support as many resource coverage as possible. It has currently been tested primarily with AWS but other InSpec-supported platforms should work as well.
+Iggy generates compliance profiles for InSpec 2.3 and later, which includes the AWS and Azure resources. Because resources are continuing to be added to InSpec, you may want the latest version to support as much resource coverage as possible. It has currently been tested primarily with AWS but other InSpec-supported platforms should work as well.
 
-Written and tested with Ruby 2.5.1.
+Written and tested with Ruby 2.6.
 
 # Installation <a name="installation"></a>
 
 `inspec-iggy` is a plugin for InSpec.  InSpec 2.3 or later is required.  To install, use:
 
-```
-$ inspec plugin install inspec-iggy
-```
+    $ inspec plugin install inspec-iggy
 
 # InSpec Terraform Generate<a name="itg"></a>
 
-     inspec terraform generate --tfstate terraform.tfstate --name myprofile
+    inspec terraform generate --tfstate terraform.tfstate --name myprofile
 
 Iggy dynamically pulls the available AWS resources from InSpec and attempts to map them to Terraform resources, producing an InSpec profile. ```inspec terraform generate --help``` will show all available options.
 
@@ -45,7 +47,6 @@ Iggy dynamically pulls the available AWS resources from InSpec and attempts to m
 
      -n, --name=NAME                  Name of profile to be generated (required)
      -t, [--tfstate=TFSTATE]          Specify path to the input terraform.tfstate (default: .)
-     [--debug], [--no-debug]          Verbose debugging messages
      [--copyright=COPYRIGHT]          Name of the copyright holder (default: The Authors)
      [--email=EMAIL]                  Email address of the author (default: you@example.com)
      [--license=LICENSE]              License for the profile (default: Apache-2.0)
@@ -54,37 +55,9 @@ Iggy dynamically pulls the available AWS resources from InSpec and attempts to m
      [--title=TITLE]                  Human-readable name for the profile (default: InSpec Profile)
      [--version=VERSION]              Specify the profile version (default: 0.1.0)
      [--overwrite], [--no-overwrite]  Overwrites existing profile directory
-
-# InSpec Terraform Extract (EXPERIMENTAL)<a name="ite"></a>
-
-    inspec terraform extract --tfstate terraform.tfstate
-
-## Tagging Profiles for Extract ##
-
-Compliance profiles are added to the Terraform Resource to be tested. The current 2 options are the ```aws_vpc``` or the ```aws_instance```. By tagging the ```aws_vpc``` you are specifying that the test is against the AWS API rather than individual machines. AWS instances tagged with compliance profiles will attempt to form command lines for ```inspec exec``` against them.
-
-### Tagging Format ###
-
-Given there is not support for lists within AWS tags, we use the convention of starting our tag names with ```inspec_name_``` and ```inspec_url_```. These are extracted and split to identify the relevant compliance profiles to run.
-
-```
-tags {
-    iggy_name_apache_baseline = "apache-baseline",
-    iggy_url_apache_baseline = "https://github.com/dev-sec/apache-baseline",
-    iggy_name_linux_baseline = "linux-baseline",
-    iggy_url_linux_baseline = "https://github.com/dev-sec/linux-baseline"
-}
-```
-
-### Potential Enhancements ###
-
-The current tagging for extraction implementation is directly tied to AWS. Other platforms such as Azure undoubtedly behave differently. Longterm this functionality should probably be turned into a Terraform Provider with predefined outputs.
-
-Subnet might be a better choice for tagging than VPCs, given they list the AZ.
-
-Currently it only supports URL-based compliance profiles. InSpec supports other formats (git, path, supermarket, compliance).
-
-inspec exec https://github.com/dev-sec/linux-baseline -t ssh://clckwrk@52.33.203.34 -i ~/.ssh/mattray-apac
+     [--debug], [--no-debug]          Verbose debugging messages
+     [--log-level=LOG_LEVEL]          Set the log level: info (default), debug, warn, error
+     [--log-location=LOG_LOCATION]    Location to send diagnostic log messages to. (default: STDOUT or Inspec::Log.error)
 
 # InSpec CloudFormation Generate<a name="icg"></a>
 
@@ -99,7 +72,6 @@ Iggy supports AWS CloudFormation templates by mapping the AWS resources to InSpe
      -n, --name=NAME                  Name of profile to be generated (required)
      -s, --stack=STACK                Specify stack name or unique stack ID associated with the CloudFormation template
      -t, --template=TEMPLATE          Specify path to the input CloudFormation template
-     [--debug], [--no-debug]          Verbose debugging messages
      [--copyright=COPYRIGHT]          Name of the copyright holder (default: The Authors)
      [--email=EMAIL]                  Email address of the author (default: you@example.com)
      [--license=LICENSE]              License for the profile (default: Apache-2.0)
@@ -108,48 +80,44 @@ Iggy supports AWS CloudFormation templates by mapping the AWS resources to InSpe
      [--title=TITLE]                  Human-readable name for the profile (default: InSpec Profile)
      [--version=VERSION]              Specify the profile version (default: 0.1.0)
      [--overwrite], [--no-overwrite]  Overwrites existing profile directory
+     [--debug], [--no-debug]          Verbose debugging messages
+     [--log-level=LOG_LEVEL]          Set the log level: info (default), debug, warn, error
+     [--log-location=LOG_LOCATION]    Location to send diagnostic log messages to. (default: STDOUT or Inspec::Log.error)
 
-# Development
+# Development and Testing<a name="development"></a>
+
+The [DESIGN.md](DESIGN.md) file outlines how the code is structured if you wish to extend functionality. We welcome patches, suggestions, and issues.
 
 ## Installation
 
 To point `inspec` at a local copy of `inspec-iggy` for development, use:
 
-```
-$ inspec plugin install path/to/your/inspec-iggy/lib/inspec-iggy.rb
-```
-
-# Testing Iggy<a name="testing"></a>
+    $ inspec plugin install path/to/your/inspec-iggy/lib/inspec-iggy.rb
 
+## Testing Iggy
 
 Unit, Functional, and Integration tests are provided, though more are welcome. Iggy uses the Minitest library for testing, using the classic `def test...` syntax. Because Iggy loads InSpec into memory, and InSpec uses RSpec internally, Spec-style testing breaks.
 
 To run all tests, run
 
-```
-$ bundle exec rake test
-```
+    $ bundle exec rake test
 
 Linting is also provided via Rubocop.
 
 To check for code style issues, run:
 
-```
-$ bundle exec rake lint
-```
+    $ bundle exec rake lint
 
 You can auto-correct many issues:
 
-```
-$ bundle exec rubocop -a
-```
+    $ bundle exec rake lint:auto_correct
 
 # License and Author #
 
 |                |                                           |
 |:---------------|:------------------------------------------|
 | **Author**     | Matt Ray (<matt@chef.io>)                 |
-| **Copyright:** | Copyright (c) 2017-2018 Chef Software Inc.|
+| **Copyright:** | Copyright (c) 2017-2019 Chef Software Inc.|
 | **License:**   | Apache License, Version 2.0               |
 
 Licensed under the Apache License, Version 2.0 (the "License");

data/inspec-iggy.gemspec

@@ -9,9 +9,9 @@ Gem::Specification.new do |spec|
   spec.version     = InspecPlugins::Iggy::VERSION
   spec.authors     = ['Matt Ray']
   spec.email       = ['matt@chef.io']
-  spec.summary     = 'InSpec plugin to generate InSpec compliance profiles from Terraform.'
-  spec.description = 'Generate InSpec compliance profiles from Terraform by tagging instances and mapping Terraform to InSpec.'
-  spec.homepage    = 'https://github.com/inspec/inspec-iggy'
+  spec.summary     = 'InSpec plugin to generate InSpec compliance profiles from Terraform and CloudFormation.'
+  spec.description = 'InSpec plugin to generate InSpec compliance profiles from Terraform and CloudFormation.'
+  spec.homepage    = 'https://github.com/mattray/inspec-iggy'
   spec.license     = 'Apache-2.0'
 
   spec.files = %w{

data/lib/inspec-iggy.rb

@@ -1,15 +1,7 @@
-# encoding: utf-8
-
-# This file is known as the "entry point."
-# This is the file InSpec will try to load if it
-# thinks your plugin is installed.
-
-# The *only* thing this file should do is setup the
-# load path, then load the plugin definition file.
-
 # Next two lines simply add the path of the gem to the load path.
 # This is not needed when being loaded as a gem; but when doing
-# plugin development, you may need it.  Either way, it's harmless.
+# plugin development, you may need it. Either way, it's harmless.
+
 libdir = File.dirname(__FILE__)
 $LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
 

data/lib/inspec-iggy/cloudformation/cli_command.rb

@@ -1,20 +1,15 @@
-# encoding: utf-8
-#
-# Author:: Matt Ray (<matt@chef.io>)
-#
-# Copyright:: 2018, Chef Software, Inc <legal@chef.io>
-#
+# CloudFormation CLI command and options
 
 require 'inspec/plugin/v2'
 
 require 'inspec-iggy/version'
-require 'inspec-iggy/profile'
+require 'inspec-iggy/profile_helper'
 require 'inspec-iggy/cloudformation/parser'
 
 module InspecPlugins::Iggy
   module CloudFormation
     class CliCommand < Inspec.plugin(2, :cli_command)
-      subcommand_desc 'cloudformation SUBCOMMAND ...', 'Generate InSpec from CloudFormation'
+      subcommand_desc 'cloudformation SUBCOMMAND ...', 'Generate an InSpec profile from CloudFormation'
 
       # Thor.map(Hash) allows you to make aliases for commands.
       map('-v' => 'version')         # Treat `inspec terraform -v`` as `inspec terraform version`
@@ -84,7 +79,7 @@ module InspecPlugins::Iggy
         # hash of generated controls
         generated_controls = InspecPlugins::Iggy::CloudFormation::Parser.parse_generate(options[:template])
         printable_controls = InspecPlugins::Iggy::InspecHelper.cfn_controls(options[:title], generated_controls, options[:stack])
-        InspecPlugins::Iggy::Profile.render_profile(self, options, options[:template], printable_controls)
+        InspecPlugins::Iggy::ProfileHelper.render_profile(self, options, options[:template], printable_controls)
         exit 0
       end
     end

data/lib/inspec-iggy/cloudformation/parser.rb

@@ -1,35 +1,22 @@
-#
-# Author:: Matt Ray (<matt@chef.io>)
-#
-# Copyright:: 2018, Chef Software, Inc <legal@chef.io>
-#
+# parses CloudFormation JSON files
 
-require 'json'
 require 'inspec/objects/control'
 require 'inspec/objects/ruby_helper'
 require 'inspec/objects/describe'
 
+require 'inspec-iggy/file_helper'
 require 'inspec-iggy/inspec_helper'
 
 module InspecPlugins::Iggy::CloudFormation
   class Parser
-    def self.parse_generate(file) # rubocop:disable all
-      Inspec::Log.debug "CloudFormation.parse_generate file = #{file}"
-      begin
-        unless File.file?(file)
-          STDERR.puts "ERROR: #{file} is an invalid file, please check your path."
-          exit(-1)
-        end
-        template = JSON.parse(File.read(file))
-      rescue JSON::ParserError => e
-        STDERR.puts e.message
-        STDERR.puts "ERROR: Parsing error in #{file}."
-        exit(-1)
-      end
-      absolutename = File.absolute_path(file)
+    # parse through the JSON and generate InSpec controls
+    def self.parse_generate(cfn_template) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength, Metrics/PerceivedComplexity
+      template = InspecPlugins::Iggy::FileHelper.parse_json(cfn_template)
+      absolutename = File.absolute_path(cfn_template)
 
       # InSpec controls generated
       generated_controls = []
+
       # iterate over the resources
       cfn_resources = template['Resources']
       cfn_resources.keys.each do |cfn_res|
@@ -46,7 +33,7 @@ module InspecPlugins::Iggy::CloudFormation
 
         # does this match an InSpec resource?
         if InspecPlugins::Iggy::InspecHelper::RESOURCES.include?(cfn_res_type)
-          Inspec::Log.debug "CloudFormation.parse_generate cfn_res_type = #{cfn_res_type} MATCH"
+          Inspec::Log.debug "CloudFormation.parse_generate cfn_res_type = #{cfn_res_type} MATCHED"
 
           # insert new control based off the resource's ID
           ctrl = Inspec::Control.new
@@ -72,31 +59,31 @@ module InspecPlugins::Iggy::CloudFormation
             attr_split = attr.split(/(?=[A-Z])/)
             property = attr_split.join('_').downcase
             if inspec_properties.member?(property)
-              Inspec::Log.debug "CloudFormation.parse_generate #{cfn_res_type} inspec_property = #{property} MATCH"
+              Inspec::Log.debug "CloudFormation.parse_generate #{cfn_res_type} inspec_property = #{property} MATCHED"
               value = cfn_resources[cfn_res]['Properties'][attr]
               if (value.is_a? Hash) || (value.is_a? Array)
                 #  these get replaced at inspec exec
                 if property.eql?('vpc_id') # rubocop:disable Metrics/BlockNesting
                   vpc = cfn_resources[cfn_res]['Properties'][attr].values.first
                   # https://github.com/inspec/inspec/issues/3173
-                  describe.add_test(property, 'eq', "resources[#{vpc}]") unless cfn_res_type.eql?('aws_route_table') # rubocop:disable Metrics/BlockNesting
+                  describe.add_test(property, 'cmp', "resources[#{vpc}]") unless cfn_res_type.eql?('aws_route_table') # rubocop:disable Metrics/BlockNesting
                   # AMI is a Ref into Parameters
                 elsif property.eql?('image_id') # rubocop:disable Metrics/BlockNesting
                   amiref = cfn_resources[cfn_res]['Properties'][attr].values.first
                   ami = template['Parameters'][amiref]['Default']
-                  describe.add_test(property, 'eq', ami)
+                  describe.add_test(property, 'cmp', ami)
                 end
               else
-                describe.add_test(property, 'eq', value)
+                describe.add_test(property, 'cmp', value)
               end
             else
-              Inspec::Log.debug "CloudFormation.parse_generate #{cfn_res_type} inspec_property = #{property} SKIP"
+              Inspec::Log.debug "CloudFormation.parse_generate #{cfn_res_type} inspec_property = #{property} SKIPPED"
             end
           end
           ctrl.add_test(describe)
           generated_controls.push(ctrl)
         else
-          Inspec::Log.debug "CloudFormation.parse_generate cfn_res_type = #{cfn_res_type} SKIP"
+          Inspec::Log.debug "CloudFormation.parse_generate cfn_res_type = #{cfn_res_type} SKIPPED"
         end
       end
       Inspec::Log.debug "CloudFormation.parse_generate generated_controls = #{generated_controls}"

data/lib/inspec-iggy/file_helper.rb

@@ -0,0 +1,40 @@
+# helper methods for retrieving and parsing files
+
+require 'json'
+require 'open-uri'
+
+module InspecPlugins
+  module Iggy
+    class FileHelper
+      # boilerplate JSON parsing
+      def self.parse_json(file)
+        Inspec::Log.debug "Iggy::FileHelper.parse_json file = #{file}"
+        lfile = fetch(file)
+        begin
+          unless File.file?(lfile)
+            STDERR.puts "ERROR: #{lfile} is an invalid file, please check your path."
+            exit(-1)
+          end
+          JSON.parse(File.read(lfile))
+        rescue JSON::ParserError => e
+          STDERR.puts e.message
+          STDERR.puts "ERROR: Parsing error in #{lfile}."
+          exit(-1)
+        end
+      end
+
+      def self.fetch(url)
+        # if this is a file, just return it
+        return url if File.exist?(url)
+
+        begin
+          URI.parse(url).open
+        rescue OpenURI::HTTPError => e
+          STDERR.puts e.message
+          STDERR.puts "ERROR: Parsing error from URL #{url}"
+          exit(-1)
+        end
+      end
+    end
+  end
+end

data/lib/inspec-iggy/inspec_helper.rb

@@ -1,8 +1,4 @@
-#
-# Author:: Matt Ray (<matt@chef.io>)
-#
-# Copyright:: 2018, Chef Software, Inc <legal@chef.io>
-#
+# constants and helpers for working with InSpec
 
 require 'inspec'
 
@@ -15,10 +11,14 @@ module InspecPlugins
       # translate Terraform resource name to InSpec
       TRANSLATED_RESOURCES = {
         'aws_instance' => 'aws_ec2_instance',
+        'aws_v_p_c' => 'aws_vpc', # CFN
+        'azurerm_resource_group' => 'azure_resource_group',
+        'azurerm_virtual_machine' => 'azure_virtual_machine'
+        # "azure_virtual_machine_data_disk",
         # 'aws_route' => 'aws_route_table' # needs route_table_id instead of id
       }.freeze
 
-      # # there really should be some way to get this directly from InSpec's resources
+      # there really should be some way to get this directly from InSpec's resources
       def self.resource_properties(resource)
         # remove the common methods, in theory only leaving only unique InSpec properties
         inspec_properties = Inspec::Resource.registry[resource].instance_methods - COMMON_PROPERTIES
@@ -29,20 +29,6 @@ module InspecPlugins
         inspec_properties
       end
 
-      def self.print_commands(extracted_profiles)
-        extracted_profiles.keys.each do |cmd|
-          type = extracted_profiles[cmd]['type']
-          url = extracted_profiles[cmd]['url']
-          key_name = extracted_profiles[cmd]['key_name']
-          if type == 'aws_instance'
-            ip = extracted_profiles[cmd]['public_ip']
-            puts "inspec exec #{url} -t ssh://#{ip} -i #{key_name}"
-          else
-            puts "inspec exec #{url} -t aws://us-west-2"
-          end
-        end
-      end
-
       def self.tf_controls(title, generated_controls)
         content = "# encoding: utf-8\n#\n\n"
 
@@ -77,5 +63,20 @@ module InspecPlugins
       COMMON_PROPERTIES = Inspec::Resource.registry['aws_subnet'].instance_methods &
                           Inspec::Resource.registry['directory'].instance_methods
     end
+
+    # disabled extract functionality
+    # def self.print_commands(extracted_profiles)
+    #   extracted_profiles.keys.each do |cmd|
+    #     type = extracted_profiles[cmd]['type']
+    #     url = extracted_profiles[cmd]['url']
+    #     key_name = extracted_profiles[cmd]['key_name']
+    #     if type == 'aws_instance'
+    #       ip = extracted_profiles[cmd]['public_ip']
+    #       puts "inspec exec #{url} -t ssh://#{ip} -i #{key_name}"
+    #     else
+    #       puts "inspec exec #{url} -t aws://us-west-2"
+    #     end
+    #   end
+    # end
   end
 end

data/lib/inspec-iggy/plugin.rb

@@ -1,30 +1,17 @@
-# encoding: UTF-8
-
-# Plugin Definition file
-# The purpose of this file is to declare to InSpec what plugin_types (capabilities)
-# are included in this plugin, and provide hooks that will load them as needed.
-
-# It is important that this file load successfully and *quickly*.
-# Your plugin's functionality may never be used on this InSpec run; so we keep things
-# fast and light by only loading heavy things when they are needed.
-
 require 'inspec/plugin/v2'
 
 # The InspecPlugins namespace is where all plugins should declare themselves.
 # The 'Inspec' capitalization is used throughout the InSpec source code; yes, it's
 # strange.
 module InspecPlugins
-  # Pick a reasonable namespace here for your plugin.  A reasonable choice
-  # would be the CamelCase version of your plugin gem name.
   module Iggy
     class Plugin < ::Inspec.plugin(2)
       # Internal machine name of the plugin. InSpec will use this in errors, etc.
       plugin_name :'inspec-iggy'
 
       cli_command :terraform do
-        # Calling this hook doesn't mean iggy is being executed - just
-        # that we should be ready to do so. So, load the file that defines the
-        # functionality.
+        # Calling this hook doesn't mean iggy is being executed - just that we
+        # should be ready to do so. So, load the file that defines the functionality.
         # For example, InSpec will activate this hook when `inspec help` is
         # executed, so that this plugin's usage message will be included in the help.
         require 'inspec-iggy/terraform/cli_command'

data/lib/inspec-iggy/{profile.rb → profile_helper.rb}

@@ -1,15 +1,10 @@
-# -*- coding: utf-8 -*-
-#
-# Author:: Matt Ray (<matt@chef.io>)
-#
-# Copyright:: 2018, Chef Software, Inc <legal@chef.io>
-#
+# renders the profile from the parsed files
 
 require 'yaml'
 
 module InspecPlugins
   module Iggy
-    class Profile
+    class ProfileHelper
       # match the output of 'inspec init profile'
       def self.render_profile(cli_ui, options, source_file, controls)
         name = options[:name]
@@ -61,7 +56,7 @@ module InspecPlugins
         f.close
       end
 
-      #  * Create file controls/example.rb
+      #  * Create file controls/controls.rb
       def self.render_controls_rb(cli_ui, name, controls)
         render_file = "#{name}/controls/controls.rb"
         cli_ui.li "Create file #{cli_ui.mark_text(render_file)}"

data/lib/inspec-iggy/terraform/cli_command.rb

@@ -1,20 +1,15 @@
-# encoding: utf-8
-#
-# Author:: Matt Ray (<matt@chef.io>)
-#
-# Copyright:: 2018, Chef Software, Inc <legal@chef.io>
-#
+# Terraform CLI command and options
 
 require 'inspec/plugin/v2'
 
 require 'inspec-iggy/version'
-require 'inspec-iggy/profile'
+require 'inspec-iggy/profile_helper'
 require 'inspec-iggy/terraform/parser'
 
 module InspecPlugins::Iggy
   module Terraform
     class CliCommand < Inspec.plugin(2, :cli_command)
-      subcommand_desc 'terraform SUBCOMMAND ...', 'Extract or generate InSpec from Terraform'
+      subcommand_desc 'terraform SUBCOMMAND ...', 'Generate an InSpec profile from Terraform'
 
       # Thor.map(Hash) allows you to make aliases for commands.
       map('-v' => 'version')         # Treat `inspec terraform -v`` as `inspec terraform version`
@@ -78,17 +73,18 @@ module InspecPlugins::Iggy
         Inspec::Log.level = :debug if options[:debug]
         generated_controls = InspecPlugins::Iggy::Terraform::Parser.parse_generate(options[:tfstate])
         printable_controls = InspecPlugins::Iggy::InspecHelper.tf_controls(options[:title], generated_controls)
-        InspecPlugins::Iggy::Profile.render_profile(self, options, options[:tfstate], printable_controls)
+        InspecPlugins::Iggy::ProfileHelper.render_profile(self, options, options[:tfstate], printable_controls)
         exit 0
       end
 
-      desc 'extract [options]', 'Extract tagged InSpec profiles from terraform.tfstate'
-      def extract
-        Inspec::Log.level = :debug if options[:debug]
-        extracted_profiles = InspecPlugins::Iggy::Terraform::Parser.parse_extract(options[:tfstate])
-        puts InspecPlugins::Iggy::InspecHelper.print_commands(extracted_profiles)
-        exit 0
-      end
+      # disabled extract functionality
+      # desc 'extract [options]', 'Extract tagged InSpec profiles from terraform.tfstate'
+      # def extract
+      #   Inspec::Log.level = :debug if options[:debug]
+      #   extracted_profiles = InspecPlugins::Iggy::Terraform::Parser.parse_extract(options[:tfstate])
+      #   puts InspecPlugins::Iggy::InspecHelper.print_commands(extracted_profiles)
+      #   exit 0
+      # end
     end
   end
 end

data/lib/inspec-iggy/terraform/parser.rb

@@ -1,91 +1,23 @@
-#
-# Author:: Matt Ray (<matt@chef.io>)
-#
-# Copyright:: 2018, Chef Software, Inc <legal@chef.io>
-#
-
-require 'json'
+# parses Terraform d.tfstate files
 
 require 'inspec/objects/control'
 require 'inspec/objects/ruby_helper'
 require 'inspec/objects/describe'
 
+require 'inspec-iggy/file_helper'
 require 'inspec-iggy/inspec_helper'
 
 module InspecPlugins::Iggy::Terraform
   class Parser
+    # disabled extract functionality
     # makes it easier to change out later
-    TAG_NAME = 'iggy_name_'.freeze
-    TAG_URL = 'iggy_url_'.freeze
-
-    # boilerplate tfstate parsing
-    def self.parse_tfstate(file)
-      Inspec::Log.debug "Iggy::Terraform.parse_tfstate file = #{file}"
-      begin
-        unless File.file?(file)
-          STDERR.puts "ERROR: #{file} is an invalid file, please check your path."
-          exit(-1)
-        end
-        JSON.parse(File.read(file))
-      rescue JSON::ParserError => e
-        STDERR.puts e.message
-        STDERR.puts "ERROR: Parsing error in #{file}."
-        exit(-1)
-      end
-    end
-
-    # parse through the JSON for the tagged Resources
-    def self.parse_extract(file) # rubocop:disable Metrics/AbcSize
-      tfstate = parse_tfstate(file)
-      # InSpec profiles extracted
-      extracted_profiles = {}
-
-      # iterate over the resources
-      tf_resources = tfstate['modules'][0]['resources']
-      tf_resources.keys.each do |tf_res|
-        tf_res_id = tf_resources[tf_res]['primary']['id']
-
-        # get the attributes, see if any of them have a tagged profile attached
-        tf_resources[tf_res]['primary']['attributes'].keys.each do |attr|
-          next unless attr.start_with?('tags.' + TAG_NAME)
-          Inspec::Log.debug "Iggy::Terraform.parse_extract tf_res = #{tf_res} attr = #{attr} MATCHED TAG"
-          # get the URL and the name of the profiles
-          name = attr.split(TAG_NAME)[1]
-          url = tf_resources[tf_res]['primary']['attributes']["tags.#{TAG_URL}#{name}"]
-          if tf_res.start_with?('aws_vpc') # should this be VPC or subnet?
-            # if it's a VPC, store it as the VPC id + name
-            key = tf_res_id + ':' + name
-            Inspec::Log.debug "Iggy::Terraform.parse_extract aws_vpc tagged with InSpec #{key}"
-            extracted_profiles[key] = {
-              'type' => 'aws_vpc',
-              'az' => 'us-west-2',
-              'url' => url,
-            }
-          elsif tf_res.start_with?('aws_instance')
-            # if it's a node, get information about the IP and SSH/WinRM
-            key = tf_res_id + ':' + name
-            Inspec::Log.debug "Iggy::Terraform.parse_extract aws_instance tagged with InSpec #{key}"
-            extracted_profiles[key] = {
-              'type' => 'aws_instance',
-              'public_ip' => tf_resources[tf_res]['primary']['attributes']['public_ip'],
-              'key_name' => tf_resources[tf_res]['primary']['attributes']['key_name'],
-              'url' => url,
-            }
-          else
-            # should generic AWS just be the default except for instances?
-            STDERR.puts "ERROR: #{file} #{tf_res_id} has an InSpec-tagged resource but #{tf_res} is currently unsupported."
-            exit(-1)
-          end
-        end
-      end
-      Inspec::Log.debug "Iggy::Terraform.parse_extract extracted_profiles = #{extracted_profiles}"
-      extracted_profiles
-    end
+    # TAG_NAME = 'iggy_name_'.freeze
+    # TAG_URL = 'iggy_url_'.freeze
 
     # parse through the JSON and generate InSpec controls
-    def self.parse_generate(file) # rubocop:disable all
-      tfstate = parse_tfstate(file)
-      absolutename = File.absolute_path(file)
+    def self.parse_generate(tf_file) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength, Metrics/PerceivedComplexity
+      tfstate = InspecPlugins::Iggy::FileHelper.parse_json(tf_file)
+      absolutename = File.absolute_path(tf_file)
 
       # InSpec controls generated
       generated_controls = []
@@ -104,7 +36,7 @@ module InspecPlugins::Iggy::Terraform
 
           # does this match an InSpec resource?
           if InspecPlugins::Iggy::InspecHelper::RESOURCES.include?(tf_res_type)
-            Inspec::Log.debug "Iggy::Terraform.parse_generate tf_res_type = #{tf_res_type} MATCH"
+            Inspec::Log.debug "Iggy::Terraform.parse_generate tf_res_type = #{tf_res_type} MATCHED"
             tf_res_id = tf_resources[tf_res]['primary']['id']
 
             # insert new control based off the resource's ID
@@ -115,33 +47,102 @@ module InspecPlugins::Iggy::Terraform
             ctrl.impact = '1.0'
 
             describe = Inspec::Describe.new
-            # describes the resourde with the id as argument
-            describe.qualifier.push([tf_res_type, tf_res_id])
+            # describes the resource with the name as argument
+            # this is a hack for azure, we need a better longterm solution
+            if tf_res_type.start_with?('azure_')
+              name = tf_res_id.split('/').last
+            else
+              name = tf_res_id
+            end
 
-            # ensure the resource exists
-            describe.add_test(nil, 'exist', nil)
+            # describes the resource with the id as argument
+            # going to need to move the special Azure code out, and add helpers for each provider
+            if tf_res_type.start_with?('azure_')
+              if tf_res_type.eql?('azure_resource_group')
+                describe.qualifier.push([tf_res_type, name: name])
+              else
+                resource_group = tf_res_id.split('resourceGroups/').last.split('/').first
+                describe.qualifier.push([tf_res_type, name: name, group_name: resource_group])
+              end
+            else
+              describe.qualifier.push([tf_res_type, tf_res_id])
+            end
+
+            # ensure the resource exists unless Azure, which currently doesn't support it as of InSpec 2.2
+            describe.add_test(nil, 'exist', nil) unless tf_res_type.start_with?('azure_')
 
             # if there's a match, see if there are matching InSpec properties
             inspec_properties = InspecPlugins::Iggy::InspecHelper.resource_properties(tf_res_type)
+            # push stuff back into inspec_properties?
+            inspec_properties.push('name') if tf_res_type.start_with?('azure_')
             tf_resources[tf_res]['primary']['attributes'].keys.each do |attr|
               if inspec_properties.member?(attr)
-                Inspec::Log.debug "Iggy::Terraform.parse_generate #{tf_res_type} inspec_property = #{attr} MATCH"
+                Inspec::Log.debug "Iggy::Terraform.parse_generate #{tf_res_type} inspec_property = #{attr} MATCHED"
                 value = tf_resources[tf_res]['primary']['attributes'][attr]
-                describe.add_test(attr, 'eq', value)
+                describe.add_test(attr, 'cmp', value)
               else
-                Inspec::Log.debug "Iggy::Terraform.parse_generate #{tf_res_type} inspec_property = #{attr} SKIP"
+                Inspec::Log.debug "Iggy::Terraform.parse_generate #{tf_res_type} inspec_property = #{attr} SKIPPED"
               end
             end
 
             ctrl.add_test(describe)
             generated_controls.push(ctrl)
           else
-            Inspec::Log.debug "Iggy::Terraform.parse_generate tf_res_type = #{tf_res_type} SKIP"
+            Inspec::Log.debug "Iggy::Terraform.parse_generate tf_res_type = #{tf_res_type} SKIPPED"
           end
         end
       end
       Inspec::Log.debug "Iggy::Terraform.parse_generate generated_controls = #{generated_controls}"
       generated_controls
     end
+
+    # disabled extract functionality
+    # # parse through the JSON for the tagged Resources
+    # def self.parse_extract(file)
+    #   tfstate = parse_tfstate(file)
+    #   # InSpec profiles extracted
+    #   extracted_profiles = {}
+
+    #   # iterate over the resources
+    #   tf_resources = tfstate['modules'][0]['resources']
+    #   tf_resources.keys.each do |tf_res|
+    #     tf_res_id = tf_resources[tf_res]['primary']['id']
+
+    #     # get the attributes, see if any of them have a tagged profile attached
+    #     tf_resources[tf_res]['primary']['attributes'].keys.each do |attr|
+    #       next unless attr.start_with?('tags.' + TAG_NAME)
+    #       Inspec::Log.debug "Iggy::Terraform.parse_extract tf_res = #{tf_res} attr = #{attr} MATCHED TAG"
+    #       # get the URL and the name of the profiles
+    #       name = attr.split(TAG_NAME)[1]
+    #       url = tf_resources[tf_res]['primary']['attributes']["tags.#{TAG_URL}#{name}"]
+    #       if tf_res.start_with?('aws_vpc') # should this be VPC or subnet?
+    #         # if it's a VPC, store it as the VPC id + name
+    #         key = tf_res_id + ':' + name
+    #         Inspec::Log.debug "Iggy::Terraform.parse_extract aws_vpc tagged with InSpec #{key}"
+    #         extracted_profiles[key] = {
+    #           'type' => 'aws_vpc',
+    #           'az' => 'us-west-2',
+    #           'url' => url,
+    #         }
+    #       elsif tf_res.start_with?('aws_instance')
+    #         # if it's a node, get information about the IP and SSH/WinRM
+    #         key = tf_res_id + ':' + name
+    #         Inspec::Log.debug "Iggy::Terraform.parse_extract aws_instance tagged with InSpec #{key}"
+    #         extracted_profiles[key] = {
+    #           'type' => 'aws_instance',
+    #           'public_ip' => tf_resources[tf_res]['primary']['attributes']['public_ip'],
+    #           'key_name' => tf_resources[tf_res]['primary']['attributes']['key_name'],
+    #           'url' => url,
+    #         }
+    #       else
+    #         # should generic AWS just be the default except for instances?
+    #         STDERR.puts "ERROR: #{file} #{tf_res_id} has an InSpec-tagged resource but #{tf_res} is currently unsupported."
+    #         exit(-1)
+    #       end
+    #     end
+    #   end
+    #   Inspec::Log.debug "Iggy::Terraform.parse_extract extracted_profiles = #{extracted_profiles}"
+    #   extracted_profiles
+    # end
   end
 end

data/lib/inspec-iggy/version.rb

@@ -1,11 +1,7 @@
-# encoding: UTF-8
-#
-# Author:: Matt Ray (<matt@chef.io>)
-#
-# Copyright:: 2018, Chef Software, Inc <legal@chef.io>
-#
+# provide the version for the plugin
+
 module InspecPlugins
   module Iggy
-    VERSION = '0.4.0'.freeze
+    VERSION = '0.5.0'.freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-iggy
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Matt Ray
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-10-18 00:00:00.000000000 Z
+date: 2019-04-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inspec
@@ -30,8 +30,8 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: 4.0.0
-description: Generate InSpec compliance profiles from Terraform by tagging instances
-  and mapping Terraform to InSpec.
+description: InSpec plugin to generate InSpec compliance profiles from Terraform and
+  CloudFormation.
 email:
 - matt@chef.io
 executables: []
@@ -44,13 +44,14 @@ files:
 - lib/inspec-iggy.rb
 - lib/inspec-iggy/cloudformation/cli_command.rb
 - lib/inspec-iggy/cloudformation/parser.rb
+- lib/inspec-iggy/file_helper.rb
 - lib/inspec-iggy/inspec_helper.rb
 - lib/inspec-iggy/plugin.rb
-- lib/inspec-iggy/profile.rb
+- lib/inspec-iggy/profile_helper.rb
 - lib/inspec-iggy/terraform/cli_command.rb
 - lib/inspec-iggy/terraform/parser.rb
 - lib/inspec-iggy/version.rb
-homepage: https://github.com/inspec/inspec-iggy
+homepage: https://github.com/mattray/inspec-iggy
 licenses:
 - Apache-2.0
 metadata: {}
@@ -69,9 +70,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
-summary: InSpec plugin to generate InSpec compliance profiles from Terraform.
+summary: InSpec plugin to generate InSpec compliance profiles from Terraform and CloudFormation.
 test_files: []